Coreboot is a modern and lightweight replacement for computers’ proprietary firmware (BIOS or UEFI). It is designed to perform only the minimum number of tasks necessary to load and run a modern operating system, such as PureOS. It brings increased performance and security, avoiding widespread security issues (see “What the CIA Vault 7 Documents Mean“, follow-up posts #1, #2, #3, etc.), and will allow us to provide Heads as part of our product offering in the future.

Coreboot will soon be available for download for the Librem 13 and Librem 15 as an easy-to-use installer script, which will allow you to update to coreboot with proper checks and safeguards in place, and various options you can choose:

If your OS was installed in UEFI mode, you will need to reinstall it, or migrate it (see further below) before applying our coreboot image.

(Note: download links are not shown here yet, because we’re still doing Q.A. — we don’t want users accidentally bricking their hardware by flashing development versions; in the meantime you might be curious to check out some of our recently merged code contributions to coreboot)

Since coreboot initializes the bare hardware, it must be ported on a case-by-case basis to every chipset and motherboard—and thus every Purism Librem model. The porting work to other Librem devices is ongoing. You can see our progress through our coreboot timeline page and our freedom roadmap. Don’t forget to keep things in perspective!

Migrating a UEFI-based install

If your existing operating system was installed in UEFI mode (our coreboot installer script will warn you about that), you would not be able to boot it after installing coreboot on your Librem, because the coreboot+SeaBIOS combination does not use UEFI. Additionally, UEFI is using a gpt partition layout, and if you were to simply switch to the old msdos layout, everything on the disk would be lost, so don’t do that! Please follow the instructions below instead, to switch from UEFI to a compatible boot scheme, where GRUB can boot from a gpt partitioned disk without UEFI (using a special 1 MB partition at the start of the disk). Here are the steps:

Back up your data. (disclaimer: the steps below have had only limited testing so far, exercise caution)

Using gparted, prepare the new target partition with one of these two approaches:

Confirming the presence of the correct coreboot image

If you want to feel warm and fuzzy by confirming you have coreboot installed properly after you see the cool Purism logo during boot, here are a few tips to confirm coreboot booted and was installed properly.

Disclaimer: ME neutralization and disablement is an ongoing and repeated effort requiring tailored work across different models and chipsets (for example, we once found the ME cleaner tool to cause problems with Wi-Fi on Skylake, and had to solve that first). As such, in the interest of not delaying your order, sometimes the ME may or may not be factory-disabled at the time of shipment (so please don’t panic if it isn’t); in such situations, we typically provide coreboot image updates that address the issue once we solve it soon after.

Checking whether microcode updates are applied or not in your image

If you flashed the no-microcode rom you can confirm the absence of microcode updates simply by noticing it does not exist from /proc/cpuinfo, if you did have microcode it would show the microcode version, without microcode updates applied there is no version and no microcode line, as demonstrated below.

cat /proc/cpuinfo | grep microcode | wc
0 0 0

Running with or without microcode updates applied comes down to personal preference. Microcode updates from the CPU vendor are meant to fix stability and performance issues, such as this one or this one (for the sake of the example). Purism applies microcode updates in the factory-preloaded coreboot images to ensure system stability, while offering versions of the coreboot images without microcode updates applied, for those who seek them.